spectral icon indicating copy to clipboard operation
spectral copied to clipboard

Published 20 hours ago verified publisher icon stoplightio

Node.js 21+: DeprecationWarning: The `punycode` module is deprecated from `@stoplight/spectral-runtime`

Open silverwind opened this issue 1 year ago • 8 comments

@stoplight/spectral-runtime and @stoplight/json-ref-readers indirectly depend on node-fetch@2 and [email protected] which triggers a runtime deprecation warning in Node.js 21 and above. As per https://github.com/node-fetch/node-fetch/pull/1793#issuecomment-1839050150, the likely only option is to upgrade to node-fetch@3:

Warning:

(node:77383) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.

Occurence:

$ rg require.+punycode node_modules/tr46/index.js
3:var punycode = require("punycode");

Dependency tree:

└─┬ @stoplight/[email protected]
  └─┬ @stoplight/[email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

silverwind avatar May 14 '24 16:05 silverwind

Please, any update on this?

karolvaclavik avatar Sep 19 '24 06:09 karolvaclavik

When will this issue be solved?

Diana-Potlog avatar Jan 13 '25 17:01 Diana-Potlog

It doesn't seem to happen all the time, just with certain rulesets? What exactly is triggering this error?

dret avatar Jan 28 '25 18:01 dret

Here is my ruleset in case it matters. It happens while linting a OpenAPI 3.0 file.

extends: [[spectral:oas, all]]

rules:
  contact-properties: off
  info-license: off
  license-url: off
  oas3-api-servers: off
  oas3-parameter-description: off
  openapi-tags: off
  operation-description: off
  operation-tag-defined: off

silverwind avatar Jan 28 '25 18:01 silverwind

Here is my ruleset in case it matters. It happens while linting a OpenAPI 3.0 file.

That's interesting because it doesn't even define rules, it just switches some off. For me, running Spectral with the built-in ruleset works, but using a --ruleset seems to trigger the error. I haven't experimented with it, though.

dret avatar Jan 28 '25 18:01 dret

It is a runtime deprecation in Node.js, these only log when actual code is being ran. The dependency trace above shows it's coming from node-fetch, so I guess in your case, it does not fetch anything so never hits the deprecation.

Why this validator needs to fetch in first place, is another question. Imho such a validator should work offline too.

silverwind avatar Jan 28 '25 19:01 silverwind

I assume reading any ruleset will be done through node-fetch, which apparently in newer versions of node could be replaced with a native fetch.

What I am wondering: If this happens whenever a ruleset is accessed this error should happen a lot, but it doesn't seem to affect many. Is it just that most are using older versions of node? From what I understand punycode was removed in node 11+, so this problem only happens with those versions. But node 11 was released in October 2018, so I would assume many should have newer versions and run into the same error?

dret avatar Jan 29 '25 08:01 dret

See https://nodejs.org/api/deprecations.html#dep0040-nodepunycode-module:

v21.0.0 Runtime deprecation. v16.6.0 Added support for --pending-deprecation. v7.0.0 Documentation-only deprecation.

silverwind avatar Jan 29 '25 15:01 silverwind